Safety layer for integrated insulin delivery system

ABSTRACT

An integrated diabetes management (IDM) system includes a safety layer which, in one configuration has two components, one located between a glucose sensor and a controller and a second component located between a controller and a pump, to monitor various aspects of signals and modify those signals for compatibility and safety purposes. In one application, the safety layer receives output control signals from a controller and modifies those control signals as a function of an actual amount of insulin delivered to the user. The safety layer allows for an increased level of safety in the IDM system and permits development of separate hardware and software upgrades with the safety layer assuring that compatibility between components will continue.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application claims the benefit of U.S. Application No. 61/180,774,filed May 22, 2009 which is incorporated herein by reference in itsentirety.

This application is also related to U.S. application Ser. No. 12/785,104entitled “Safety Features For Integrated Insulin Delivery System,” (U.S.Provisional Application No. 61/180,627, filed May 22, 2009); U.S.application Ser. No. 12/785,144 entitled “Usability Features ForIntegrated Insulin Delivery System,” (U.S. Provisional Application No.61/180,649, filed May 22, 2009); U.S. application Ser. No. 12/785,196entitled “Adaptive Insulin Delivery System,” (U.S. ProvisionalApplication No. 61/180,767, filed May 22, 2009; and U.S. applicationSer. No. 12/784,981 entitled “Methods for Reducing False HypoglycemiaAlarm Occurrence,” (U.S. Provisional Application No. 61/180,700, filedMay 22, 2009).

BACKGROUND

The invention is generally related to systems and methods for controlover the delivery of medication and more particularly, to a safetysystem for monitoring and controlling the delivery of medication.

Diabetes is a metabolic disorder that afflicts tens of millions ofpeople throughout the world. Diabetes results from the inability of thebody to properly utilize and metabolize carbohydrates, particularlyglucose. Normally, the finely-tuned balance between glucose in the bloodand glucose in bodily tissue cells is maintained by insulin, a hormoneproduced by the pancreas which controls, among other things, thetransfer of glucose from blood into body tissue cells. Upsetting thisbalance causes many complications and pathologies including heartdisease, coronary and peripheral artery sclerosis, peripheralneuropathies, retinal damage, cataracts, hypertension, coma, and deathfrom hypoglycemic shock.

In patients with insulin-dependent diabetes, the symptoms of the diseasecan be controlled by administering additional insulin (or other agentsthat have similar effects) by injection or by external or implantableinsulin pumps. It is understood that throughout this document, the terms“patient” and “user” are used interchangeably. The “correct” insulindosage is a function of the level of glucose in the blood. Ideally,insulin administration should be continuously readjusted in response tochanges in glucose level.

Presently, systems are available for monitoring glucose levels byimplanting a glucose sensitive probe into the user. Such probes measurevarious properties of blood or other tissues, including opticalabsorption, electrochemical potential and enzymatic products. The outputof such sensors can be communicated to a hand held device that is usedto calculate an appropriate dosage of insulin to be delivered into theblood stream in view of several factors, such as a user's presentglucose level, insulin usage rate, carbohydrates consumed or to beconsumed and exercise, among others. These calculations can then be usedto control a pump that delivers the insulin, either at a controlled“basal” rate, or as a “bolus.” When provided as an integrated system, acontinuous glucose monitor (“CGM”), a pump, and a control means worktogether to provide continuous glucose monitoring and insulin pumpcontrol. The components of integrated diabetes management (“IDM”)systems, whether implemented as a fully closed-loop, semi closed-loop,or an open loop system must be tightly integrated to insure the accuracyof the glucose monitor and to protect the user from either under- orover-dosage of insulin, as well as improved usability, control, andsafety of the system.

Not all components are likely to be made by a single developer or bebased on a universal design platform, and users have always tended tomix and match components to suit their individual needs. In the case ofa development platform for these systems, it is likely that bothoutside-designed (third-party) controller modules as well asinsider-developed systems and platforms may evolve over time, and morethan one version may exist at any given time. While modern trends oftenpromote hardware and software compatibility, when mixing componentscreated by different designers or manufacturers, one must consider thecareful design of hazard mitigation features, such as the safety limitsof such critical life-saving devices and components. As hardware andsoftware components get replaced or improved, it is possible that manyaspects of hazard mitigation becomes so coupled with the particularconfigurations of a particular case, that a careful redesign may benecessary to account for the new changes. Moreover, it is anticipatedthat system and value constraints can change due to component hardwareand software upgrades over the life of a closed loop or semi-closed loopdiabetes control system.

Under normal operating conditions, a fully autonomous closed loop systemis in full control of its insulin command calculation. This implies thatwhile closed loop is in effect, the user may be denied access to some ofthe system's functionality such as the ability to deliver a bolus.While, in some instances, this may have been designed from a safetyperspective, the user may perceive such features to inhibit control overthe ability to self-medicate or limit control over the device.Consequently, a closed loop or semi-closed loop system should be able toaccount for the effects of a user-initiated command such as a mealbolus, even if it is not necessarily accompanied with meal contentinformation. Yet, the requirement to allow such user intervention couldcause a momentary violation of pump delivery limits set by designers,even if the control system (without the addition of the invention hereindisclosed) was designed not to generate autonomous commands that exceedthe same pump delivery limits.

What has been needed, and heretofore unavailable, is an integrated,automated system combining continuous glucose monitoring and controlledinsulin delivery that provides modularity for rapid development ofsystem components by different designers, and that bestows an increasedsense of freedom to the user, such as the ability to self-medicate inconjunction with a closed-loop system, all while providing for safety inthe accurate delivery of insulin.

SUMMARY OF THE INVENTION

The invention is directed to a safety layer for an integrated diabetesmanagement system. In one aspect, there is provided an integrateddiabetes management system comprising a glucose sensor configured toprovide sensor glucose data representative of sensed glucose, a deliverydevice configured to deliver medication in response to a deliverycontrol signal, a controller programmed to receive glucose data and toprovide an output control signal as a function of the received glucosedata; and a safety layer programmed to receive at least one of thesensor glucose data and the output control signal, and to modify atleast one of the sensor glucose data and the output control signal;wherein the glucose data would be modified to become modified glucosedata; and wherein the output control signal would be modified to becomea modified output control signal that would be provided as the deliverycontrol signal.

In more detailed aspects, the safety layer is further programmed tomonitor the amount of medication delivered and to modify the outputcontrol signal at least partially as a function of the monitored amountof medication delivered, wherein the amount of medication deliveredmonitored by the safety layer comprises insulin on board. Additionally,the safety layer is further programmed to modify at least one of theglucose data and the output control signal in accordance with acharacteristic of at least one of the glucose sensor and the deliverydevice. Further, the safety layer is programmed to modify the sensorglucose data as a function of delivery device output, and the safetylayer is programmed to modify the output control signal as a function ofdelivery device output.

In other aspects, the integrated diabetes management system furthercomprises a communication module, wherein the controller comprises acontroller calculation software module configured to provide the outputcontrol signal and wherein the communication module is configured toprovide the delivery control signal to the delivery device, wherein thesafety layer is configured to intercept the output control signal andsubstitute the modified control signal to the communication modulewithout any reconfiguration of the communication module or thecontroller calculation software module. Additionally, the controllercomprises a controller calculation software module configured to receiveglucose data and provide the output control signal, and the safety layeris configured to intercept the sensor glucose data from the glucosesensor and substitute the modified glucose data to the controllercalculation software module without any reconfiguration of the glucosesensor or the controller calculation software module.

In yet more detailed aspects, the delivery device has a maximum deliveryrate, and the safety layer is further programmed to determine themaximum delivery rate of the delivery device, determine the amount ofmedication to be delivered by the output control signal, and if theoutput control signal is configured for a higher delivery rate than themaximum delivery rate of the delivery device, the safety layercalculates a modified delivery rate and schedule based at least in parton the maximum delivery rate of the delivery device to achieve deliveryof the same amount of medication as configured by the output controlsignal. Further, the safety layer is further programmed to taper themodified delivery rate over the delivery schedule. The safety layer isfurther programmed to display the modified delivery rate and thedelivery schedule.

In another aspect, the glucose sensor includes an output having a firstrange representative of glucose levels, the controller has an inputhaving a second range representative of glucose levels, wherein thesecond range is different from the first range, and the safety layer isconfigured to receive glucose data from the glucose sensor, modify thereceived glucose data for compatibility with the second range, andsubstitute the modified glucose data to the input of the controller.

In a related aspect, the glucose sensor provides glucose data having afirst format, and the controller is configured to receive glucose datahaving a second format, the safety layer is further programmed todetermine if the first format and the second format are equivalent, ifthe first and second data formats are not equivalent, the safety layeris programmed to modify the glucose data signals to the second formatand substitute the modified glucose signals to the controller.

In other detailed aspects, the safety layer further comprises an inputsafety module operably connected to the glucose sensor, and an outputsafety module operably connected to the medication delivery device,wherein the output safety module provides feedback to the input safetymodule. Further, the feedback comprises a function of a limit on thedelivery device and the modified control signal and wherein the modifiedglucose data is further determined as a function of the feedback. Also,the delivery control signal is representative of a required medicationamount for delivery, wherein the safety layer determines a maximumdelivery rate of the medication delivery device and is configured tocalculate a delivery schedule as a factor of the maximum delivery rateand the required medication amount, the required medication amount beingdetermined at least partially by the sensed glucose.

In yet further aspects, the integrated diabetes management systemfurther comprises a memory module, and an input, wherein the safetylayer is configured to store the required medication amount in thememory and update the required medication amount according to aremaining delivery schedule, the modified output control signal, and adelivery command received at the input. In a further aspect, thedelivery schedule is a tapered delivery of insulin.

In much more detailed aspects, the safety layer is further programmed toprovide the modified control signal such that it conforms to acurrent-driven hardware standard. The safety layer is further programmedto provide the modified control signal such that it conforms to avoltage-driven hardware standard.

In method aspects according to the invention, there is provided a methodof diabetes management comprising sensing glucose and providing sensorglucose data representative of sensed glucose, delivering medication inresponse to a delivery control signal, receiving glucose data andproviding an output control signal as a function of the received glucosedata, monitoring the amount of medication delivered, and receiving atleast one of the sensor glucose data and the output control signal, andmodifying at least one of the sensor glucose data and the output controlsignal, wherein the glucose data would be modified to become modifiedglucose data, wherein the output control signal would be modified tobecome a modified output control signal, communicating the modifiedoutput control signal as the delivery control signal, and whereinmodifying at least one of the glucose data and the output control signalincludes modifying as a function of the monitored amount of medicationdelivered.

In more detailed aspects, there is provided calculating the outputcontrol signal, and intercepting the output control signal andsubstituting the modified control signal as the delivery control signalwithout reconfiguring the step of calculating the output control signalor the step of communicating a delivery control signal. Additionally,aspects further comprise safety monitoring the sensor glucose databetween the steps of providing sensor glucose data and receiving glucosedata, and separately safety monitoring the output control signal.Additionally the step of separately safety monitoring the output controlsignal further comprises also providing feedback to the safetymonitoring of the sensor glucose data step. The step of providingfeedback comprises providing feedback as a function of a limit on thedelivery of medication and on the modified output control signal, andwherein the step of modifying glucose data further includes modifyingglucose data as a function of the feedback.

The features and advantages of the invention will be more readilyunderstood from the following detailed description which should be readin conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram illustrating an exemplary embodiment of anelectronic device and its various components in operable communicationwith one or more medical devices, such as a glucose monitor or drugdelivery pump, and optionally, in operable communication with a remotecomputing device;

FIG. 2 depicts an integrated diabetes management (“IDM”) system inaccordance with aspects of the present invention;

FIG. 3 depicts an IDM system of FIG. 2 further illustrated by transferfunctions;

FIG. 4A depicts an embodiment of a safety layer as two distinctcomponents;

FIG. 4B depicts a diagram of the feedback portion of an IDM system,including the safety layer, in accordance with aspects of the presentinvention;

FIG. 5 depicts a diagram of the IDM system using a safety layercomprising linear conditioning; and

FIG. 6 depicts an equivalent diagram of the IDM system using a safetylayer comprising linear conditioning;

FIGS. 7A, 7B, and 7C depict a schematic diagram of the components of anIDM system, including an embodiment of a safety layer.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

For the purposes of promoting an understanding of the principles of theinvention, reference will now be made to a number of illustrativeembodiments shown in the attached drawings and specific language will beused to describe the same.

Referring now to FIG. 1, a block diagram of one illustrative embodimentof a system 10 for monitoring, determining and/or providing drugadministration information is shown. It should be understood for thepurpose of the depicted embodiments that system 10 is depicted as an IDMsystem including a CGM sensor device, an insulin pump, and a controlmeans (for example, a handheld device) that may work together to providecontinuous glucose monitoring and insulin pump control, and that mayfurther be implemented as a fully closed-loop, semi closed-loop, or anopen loop system. In the illustrated embodiment, the system 10 includesan electronic device 12 having a processor 14 in data communication witha memory unit 16, an input device 18, a display 20, and a communicationinput/output unit 24. The electronic device 12, which may be handheld,may be provided in the form of a general purpose computer, centralserver, personal computer (PC), laptop or notebook computer, personaldata assistant (PDA) or other hand-held device, external infusion pump,glucose meter, analyte sensing system, or the like. The electronicdevice 12 may be configured to operate in accordance with one or moreoperating systems including for example, but not limited to, WINDOWS,Unix, LINUX, BSD, SOLARIS, MAC OS, or, an embedded OS such as ANDROID,PALM OS, WEBOS, eCOS, QNX, or WINCE, and may be configured to processdata according to one or more internet protocols for example, but notlimited to, NetBios, TCP/IP and APPLETALK. The processor 14 ismicroprocessor-based, although the processor 14 may be formed of one ormore general purpose and/or application specific circuits and operableas described hereinafter. The memory unit 16 includes sufficientcapacity to store operational data, one or more software algorithmsexecutable by the processor 14, and other user inputted data. The memoryunit 16 may include one or more memory or other data storage devices.

Display 20 is also included for viewing information relating tooperation of the device 12 and/or system 10. Such a display may be adisplay device including for example, but not limited to, a lightemitting diode (LED) display, a liquid crystal display (LCD), a cathoderay tube (CRT) display, or the like. Additionally, display 20 mayinclude an audible display configured to communicate information to auser, another person, or another electronic system having audiorecognition capabilities via one or more coded patterns, vibrations,synthesized voice responses, or the like. Additionally, display 20 mayinclude one or more tactile indicators configured to display tactileinformation that may be discerned by the user or another person.

Input device 18 may be used in a manner to input and/or modify data.Input device 18 may include a keyboard or keypad for enteringalphanumeric data into the processor 14. Such a keyboard or keypad mayinclude one or more keys or buttons configured with one or more tactileindicators to allow users with poor eyesight to find and select anappropriate one or more of the keys, and/or to allow users to find andselect an appropriate one or more of the keys in poor lightingconditions. Additionally, input device 18 may include a mouse or otherpoint and click device for selecting information presented on thedisplay 20. Additionally, input device 18 may include display 20,configured as a touch screen graphical user interface. In thisembodiment, the display 20 includes one or more selectable inputs that auser may select by touching an appropriate portion of the display 20using an appropriate implement.

Input device 18 may also include a number of switches or buttons thatmay be activated by a user to select corresponding operational featuresof the device 12 and/or system 10. Input device 18 may also be orinclude voice-activated circuitry responsive to voice commands toprovide corresponding input data to the processor 14. The input device18 and/or display 20 may be included with or separate from theelectronic device 12.

System 10 may also include a number of medical devices 30, 32 whichcarry out various functions, for example, but not limited to,monitoring, sensing, diagnostic, communication and treatment functions.In such embodiments, any of the one or more of the medical devices 30,32 may be implanted within the user's body, coupled externally to theuser's body (for example, such as an infusion pump), or separate fromthe user's body. In some embodiments, medical devices 30, 32 arecontrolled remotely by electronic device 12. Additionally, one or moreof the medical devices may be mounted to and/or form part of theelectronic device 12. For example, in some embodiments, electronicdevice 12 includes an integrated glucose meter or strip port and isconfigured to receive a signal representative of a glucose value anddisplay the value to a user. Electronic device 12 may further beconfigured to be used to calibrate a continuous glucose monitor (CGM) orfor calculating insulin amounts for bolus delivery. Typically, themedical devices 30, 32 are each configured to communicate wirelesslywith the communication I/O unit 22 of the electronic device 12 via oneof a corresponding number of wireless communication links Wirelesscommunication is preferable when medical device 30, 32 is configured tobe located on a remote part of the body, for example, in an embodimentwherein medical device 30, 32 is a continuous glucose monitor (CGM) orsensor, or insulin pump, worn under clothing.

Electronic device 12 communicates with medical device 30, 32 via awireless protocol, or, in some embodiments, is directly connected via awire. The wireless communications between the various components of thesystem 10 may be one-way or two-way. The form of wireless communicationused may include, but should not be limited to, radio frequency (RF)communication, infrared (IR) communication, Wi-Fi, RFID (inductivecoupling) communication, acoustic communication, capacitive signaling(through a conductive body), galvanic signaling (through a conductivebody), BLUETOOTH, or the like. Electronic device 12 and each of themedical devices 30, 32 include circuitry for conducting such wirelesscommunications circuit. In another embodiment, one or more of themedical devices 30, 32 may be configured to communicate with electronicdevice 12 via one or more serial or parallel configured hardwireconnections therebetween.

Each of the one or more medical devices 30, 32 may include one or moreof a processing unit 33, input 34 or output 36 circuitry and/or devices,communication ports 38, and/or one or more suitable data and/or programstorage devices 40. It may be understood that not all medical devices30, 32 will have the same componentry, but rather will only have thecomponents necessary to carry out the designed function of the medicaldevice. For example, in one embodiment, a medical device 30, 32 may becapable of integration with electronic device 12 and thus omit input 34,display 36, and/or processor 33. In another embodiment, medical device30, 32 is capable of stand-alone operation, and is further configured tofunction as electronic device 12, should communication with electronicdevice 12 be interrupted. In another embodiment, medical device 30, 32may include processor, memory and communication capability, but does nothave an input 34 or a display 36. In still another embodiment, themedical device 30, 32 may include an input 34, but lack a display 36.

In some embodiments, the system 10 may additionally include a remotedevices 50, 52. The remote device 50, 52 may include a processor 53,which may be identical or similar to the processor 33 or processor 14, amemory or other data storage unit 54, a input device 56, which mayinclude any one or more of the input devices described hereinabove, adisplay unit 58 which may include any one or more of the display unitsdescribed hereinabove, and a communication I/O circuitry 60. The remotedevice 50, 52 may be configured to communicate with the electronicdevice 12 or medical devices(s) 30, 32 via any wired or wirelesscommunication interface 62, which may include any of the communicationinterfaces or links described hereinabove. Although not specificallyshown, remote device 50, 52 may also be configured to communicatedirectly with one or more medical devices 30, 32, instead ofcommunicating with the medical device through electronic device 12.

System 10 may be provided in any of a variety of configurations, andexamples of some such configurations will now be described. It will beunderstood, however, that the following examples are provided merely forillustrative purposes, and should not be considered limiting in any way.Those skilled in the art may recognize other possible implementations ofa fully closed-loop, semi closed-loop, or open loop diabetes controlarrangement, and any such other implementations are contemplated by thisdisclosure.

In a first exemplary implementation of the system 10, the medical device30, 32 is provided in the form of one or more sensors 31 (FIG. 2) orsensing systems that are external to the user's body and/or sensortechniques for providing information relating to the physiologicalcondition of the user. Examples of such sensors or sensing systems mayinclude, but should not be limited to, a glucose strip sensor/meter, abody temperature sensor, a blood pressure sensor, a heart rate sensor,one or more bio-markers configured to capture one or more physiologicalstates of the body, for example, HBAlC, or the like. In implementationsthat include a glucose sensor, system 10 may be a fully closed-loopsystem operable in a manner to automatically monitor glucose and deliverinsulin, as appropriate, to maintain glucose at desired levels.Information provided by any such sensors and/or sensor techniques may becommunicated by system 10 using any one or more wired or wirelesscommunication techniques.

The various medical devices 30, 32 may additionally include an insulinpump 35 (FIG. 2) configured to be worn externally to the user's body andalso configured to controllably deliver insulin to the user's body. Inone such embodiment, medical devices 30, 32 include at least oneimplantable or externally worn drug pump. In one embodiment, an insulinpump is configured to controllably deliver insulin to the user's body.In this embodiment, the insulin pump is also configured to wirelesslytransmit information relating to insulin delivery to the handheld device12. The handheld device 12 is configured to monitor insulin delivery bythe pump, and may further be configured to determine and recommendinsulin bolus amounts, carbohydrate intake, exercise, and the like tothe user. The system 10 may be configured in this embodiment to providefor transmission of wireless information from the handheld device 12 tothe insulin pump.

In an implementation of the system 10, the electronic device 12 isprovided in the form of a handheld device, such as a PDA or otherhandheld device. In a further embodiment, the handheld device 12 isconfigured to control insulin delivery to the user by determininginsulin delivery commands and transmitting such commands to an insulinpump 35 (FIG. 2). The insulin pump, in turn, is configured to receivethe insulin delivery commands from the handheld device 12, and todeliver insulin to the user according to the commands. The insulin pump,in this embodiment, may further process the insulin pump commandsprovided by the handheld unit 12. The system 10 will typically beconfigured in this embodiment to provide for transmission of wirelessinformation from the insulin pump back to the handheld device 12 tothereby allow for monitoring of pump operation. The system 10 mayfurther include one or more implanted and/or external sensors of thetype described in the previous example.

Those skilled in the art will recognize other possible implementationsof a fully closed-loop, semi closed-loop, or open loop diabetes controlarrangement using at least some of the components of the system 10illustrated in FIG. 1. For example, the electronic device 12 in one ormore of the above examples may be provided in the form of a PDA, laptop,notebook or personal computer configured to communicate with one or moreof the medical devices 30, 32, at least one of which is an insulindelivery system, to monitor and/or control the delivery of insulin tothe user. In further embodiments, electronic device may include acommunication port 22 in the form of a BLUETOOTH or other wirelesstransmitter/receiver, serial port or USB port, or other customconfigured serial data communication port. In some embodiments, remotedevice 50, 52 is configured to communicate with the electronic device 12and/or one or more of the medical devices 30, 32, to control and/ormonitor insulin delivery to the user, and/or to transfer one or moresoftware programs and/or data to the electronic device 12. Remote device50, 52 may take the form of a PC, PDA, laptop or notebook computer,handheld or otherwise portable device, and may reside in a caregiver'soffice or other remote location. In the various embodiments,communication between the remote device and any component of the system10 may be accomplished via an intranet, internet (for example,world-wide-web), cellular, telephone modem, RF, USB connection cable, orother communication link 62. Any one or more internet protocols may beused in such communications. Additionally, any mobile content deliverysystem; for example, Wi-Fi, WiMAX, BLUETOOTH, short message system(SMS), or other message scheme may be used to provide for communicationbetween devices comprising the system 10.

FIG. 2 illustrates the components, and operation and control flow, of aclosed-loop system. In the depicted embodiment, the system generallyincludes a sensor and a pump, and a controller module for receivinginput from the sensor and for controlling the pump. The term “controllermodule” as used herein is defined as a hardware device that receives asignal representative of a glucose (for example, from a sensor) andproduces signals to control an insulin delivery device (for example, apump). In some embodiments, the controller module is part of or includeselectronic device 12. In some embodiments, electronic device 12 (orhandheld controller 12) is part of or includes the controller module.Thus, the controller module may be depicted in the drawings as either acontroller or an electronic device 12, and the terms handheld electronicdevice, controller module, electronic device, and handheld device, areused herein interchangeably. In some embodiments, the controller moduleis hardware included with or interconnected to electronic device 12. Infurther embodiments, the controller module is hardware included with orinterconnected to sensor 31 and/or pump 35.

In some embodiments, the sensor and/or pump is part of, or includesmedical device 30, 32 (that is, medical device 30, 32 can be a pump or asensor). In some embodiments, the controller module may be part of, orbe integrated with, a sensor 31 or a pump 35, or other medical devices30, 32. Handheld controller 12 preferably has a user interface screen 20to display information to the user and to request from the user theinput of parameters and/or commands. Handheld controller 12 may furthercomprise a processor 14, and an input means 18, such as buttons or atouch screen, for the user to input and/or set parameters and commandsto the system.

Handheld controller 12 includes a memory means 16 configured to storeparameters and one or more algorithms that may be executed by processor14. For example, memory means 16 may store one or more predeterminedparameters or algorithms to evaluate glucose data, trends in that data,and future prediction models. A user may also input parameters usinginput 18 to provide user-specific algorithms such as pumping patterns oralgorithms for determining an amount of drug (that is, insulin) to bedelivered by an insulin delivery device (IDD), pump 35. Input 18 mayalso be used to send commands or to bring up a menu of commands for theuser to choose from. In some embodiments, these components (that is,input, processor, and memory) comprise the control module. Theinformation may be displayed, for example, on display 20 of handheldcontroller 12, and user input may be received via input 18. In oneembodiment, handheld controller 12 takes into account for bothdeliveries commanded by the controller as well as deliveries commandedby human input intended to correct or compensate for specific aspectsnot necessarily known to the controller. The components of the IDMsystem may cooperatively work together as a single device or separatephysical devices.

In one embodiment, handheld controller 12 is provided to allow the userto view via graphical display 20 his or her glucose levels and/or trendsand to control the pump 35. Handheld controller 12 sends commands tooperate pump 35, such as an automatic insulin basal rate or bolusamount. Handheld controller 12 may automatically send commands based oninput from sensor 31 or may send commands after receiving user input viainput 18 or input 34 on medical device 30, 32. In at least oneembodiment, handheld controller 12 analyzes data from sensor 31 and/orpump 35, and/or communicates data and commands to them. In oneembodiment, handheld controller 12 automatically sends the commands topump 35 based on a sensor reading. Handheld controller 12 may also sendcommands to direct the pumping action of the pump 35. Handheldcontroller 12 sends and receives data to and from sensor 31 over a overa wired connection or wireless communication protocol 42. In anotherembodiment, data based on the reading is first provided to handheldcontroller 12 which analyzes the data and presents information to a useror a health care provider (for example, using remote device 50, 52),wherein human input is required to generate the command. For example,handheld controller 12 may request an acknowledgment or feedback fromthe user before sending the commands, allowing the user to intervene incommand selection or transmission. In a further embodiment, handheldcontroller 12 merely sends alerts or warnings to the user and allows theuser to manually select and send the commands via the input 18 ofhandheld controller 12. In yet another embodiment handheld controller 12manages commands originated by the control algorithm with or withoutuser approval or intervention, and commands initiated by the user areindependent of the control algorithm. The purpose of handheld controller12 is to process sensor data in real-time and determine whether theglucose levels in a user is too high or too low, and to provide aprediction of future glucose levels based upon sensor readings and thecurrent basal rate and/or recent bolus injections.

In some embodiments, handheld controller 12 includes a means forcalibrating the system, including, inputting at the device a fingerstick glucose measurement or taking an actual blood sample to obtain aglucose measurement. The device may be integrated with a strip port sothat a user may use the strip port to take a manual glucose reading. Thestrip port includes a known calibration and is configured to take ablood reading to provide a value representative of a glucose. Thereading provided from the strip port is internally received at handheldcontroller 12 and compared to a value from sensor 31 to configure and/orcalibrate the system.

Sensor 31 is configured to read a glucose level of a user and to sendthe reading to be analyzed by handheld controller 12. In someembodiments, sensor 31 is a glucose monitor with a strip port formanually receiving a blood sample. In the depicted embodiments, sensor31 is a continuous glucose monitoring (CGM) sensor that pierces and/oris held in place at the surface of a user's skin to continuously monitorglucose levels in a user. In an embodiment, CGM sensor 31 (a portablemedical device 30, 32) is attached to the surface of a user's skin andincludes a small sensor device that at least partially pierces theuser's skin and is located in the dermis to be in contact theinterstitial fluid. The sensor device may also be held in place at theskin by a flexible patch. Accordingly, CGM Sensor 31 may providecontinuous monitoring of user glucose levels. The analyte monitoringsystem may also include a transmitter and/or receiver for transmittingsensor data to a separate device (for example, pump 35 or handheldelectronic device 12). In some embodiments, CGM sensor 31 is in the formof a skin-mounted unit on a user's arm.

In the depicted embodiments, an insulin device or pump 35 deliversinsulin to the user through a small tube and cannula (also known as the“infusion set”) percutaneously inserted into the user's body. Insulinpump 35 may be in the form of a medical pump, a small portable device(similar to a pager) worn on a belt or placed in a pocket, or it may bein the form of a patch pump that is affixed to the user's skin. In oneembodiment, pump 35 is attached to the body by an adhesive patch and isnormally worn under clothes. Pump 35 is preferably worn on the skin,includes a power supply, and is relatively small and of a low profile sothat it can be hidden from view in a pocket or attached to the skinunder clothing.

The pump has disposable and non-disposable components. The disposablecomponents include the reservoir and cannula and (optional) adhesivepatch. The non-disposable/reusable component includes the pumpingelectronics, transmitter and/or receiver, and pump mechanics (notshown). Pump 35 and cannula may be part of the same physical device orcomprise separate modules. Pump 35 may also comprise a transmitterand/or receiver for transmitting and/or receiving a signal viaconnection 42 from handheld controller 12 so that it can be controlledremotely and can report pump-specific data to a remote location.

When provided as an integrated system, the components of system 10 worktogether to provide real-time continuous glucose monitoring and controlof an insulin pump and to allow a user to take immediate corrective orpreventative action when glucose levels are either too high or too low.Because pump 35 and sensor 31 are miniaturized they may have verylimited control panels, if any at all, and thus, in some embodiments,sensor 31, pump 35, and controller 12 may all be integrated into asingle device. In other embodiments, sensor 31, pump 35, and controller12 may be organized as two or three separate components. The componentsmay be in wired communication, radio communication, fluid connection, orother communication protocol suitable for sending and receivinginformation between the components. Some components may be constructedto be reusable while others are disposable. For example, the cannula andthe sensor may be disposable pieces apart from the pump 35 and CGMsensor 31 which are both preferably reusable. The cannula and/or sensorwill preferably be in fluid isolation from other components. Eachcomponent may have modular fittings so that the disposable componentsmay interact with the non-disposable components while remaining in fluidisolation from each other.

Generally, the concentration of glucose in a person changes as a resultof one or more external influences such as meals and exercise, and alsochanges resulting from various physiological mechanisms such as stress,illness, menstrual cycle and the like. In a person with diabetes, suchchanges can necessitate monitoring the person's glucose level andadministering insulin or other glucose-altering drug, for example,glucose lowering or raising drug, as needed to maintain the person'sglucose within desired ranges. In any of the above examples, the system10 is thus configured to determine, based on some amount ofuser-specific information, an appropriate amount, type and/or timing ofinsulin or other glucose-altering drug to administer in order tomaintain normal glucose levels without causing hypoglycemia orhyperglycemia.

In some embodiments, the system 10 is configured in a manner to controlone or more external (for example, subcutaneous, transcutaneous ortransdermal) and/or implanted insulin pumps to automatically infuse orotherwise supply the appropriate amount and type of insulin to theuser's body in the form of one or more insulin boluses. Such insulinbolus administration information may be or include, for example, insulinbolus quantity or quantities, bolus type, insulin bolus delivery time,times or intervals (for example, single delivery, multiple discretedeliveries, continuous delivery, etc.), and the like. Examples of usersupplied information may be, for example but not limited to, userglucose concentration, information relating to a meal or snack that hasbeen ingested, is being ingested, or is to be ingested sometime in thefuture, user exercise information, user stress information, user illnessinformation, information relating to the user's menstrual cycle, and thelike.

System 10 may also include a delivery mechanism for deliveringcontrolled amounts of a drug; for example, insulin, glucagon, incretin,or the like to pump 35, and/or offering an actionable therapyrecommendation to the user via the display 20, for example, ingestingcarbohydrates, exercising, etc. In other embodiments, the system 10 isconfigured in a manner to display or otherwise notify the user of theappropriate amount, type, and/or timing of insulin in the form of aninsulin recommendation. In such embodiments, hardware and/or softwareforming part of the system 10 allows the user to accept the recommendedinsulin amount, type, and/or timing, or to reject it. If accepted, thesystem 10, in one embodiment, automatically infuses or otherwiseprovides the appropriate amount and type of insulin to the user's bodyin the form of one or more insulin boluses. If, on the other hand, theuser rejects the insulin recommendation, hardware and/or softwareforming part of the system 10 allows the user to override the system 10and manually enter insulin bolus quantity, type, and/or timing. Thesystem 10 is then configured in a manner to automatically infuse orotherwise provide the user specified amount, type, and/or timing ofinsulin to the user's body in the form of one or more insulin boluses.

The appropriate amount and type of insulin corresponding to the insulinrecommendation displayed by the system 10 may be manually injected into,or otherwise administered to, the user's body. It will be understood,however, that the system 10 may additionally be configured in likemanner to determine, recommend, and/or deliver other types of medicationto a user.

System 10 is operable to determine and either recommend or administer anappropriate amount of insulin or other glucose lowering drug to the userin the form of one or more insulin boluses. In determining suchappropriate amounts of insulin, system 10 requires at least someinformation relating to one or more external influences and/or variousphysiological mechanisms associated with the user. For example, if theuser is about to ingest, is ingesting, or has recently ingested, a mealor snack, the system 10 generally requires some information relating tothe meal or snack to determine an appropriate amount, type and/or timingof one or more meal compensation boluses. When a person ingests food inthe form of a meal or snack, the person's body reacts by absorbingglucose from the meal or snack over time. For purposes of thisdisclosure, any ingesting of food may be referred to hereinafter as a“meal,” and the term “meal” therefore encompasses traditional meals, forexample, breakfast, lunch and dinner, as well as intermediate snacks,drinks, etc.

Referring to FIG. 2, in some embodiments, in order for continuousglucose monitoring and/or control system 10, including controller 12,pump 35, and sensor 31, to be most effective in treating a user 63, auser information profile 64 and optimal control parameters 65 areprovided. In one embodiment, certain control parameters, for example,target glucose threshold, an overall glucose safe range, and the likecan often be predetermined based on known values for common user typesand are typically known in the art. Other embodiments, may supplementknown ranges by information observed and determined by user's 63 healthcare provider (“HCP”). In some embodiments, user information profileincludes information specific to patent 63, including a quantifiedglucose absorption profile created based on, for example, body type,race, known tolerances, historical data and the like.

The general shape of a glucose absorption profile for any person risesfollowing ingestion of the meal, peaks at some measurable time followingthe meal, and then decreases thereafter. The speed, that is, the ratefrom beginning to completion, of any one glucose absorption profiletypically varies for a person by meal composition, by meal type or time(for example, breakfast, lunch, dinner, or snack) and/or according toone or more other factors, and may also vary from day-to-day underotherwise identical meal circumstances. Generally, the informationrelating to such meal intake information supplied by the user to thesystem 10 should contain, either explicitly or implicitly, an estimateof the carbohydrate content of the meal or snack, corresponding to theamount of carbohydrates that the user is about to ingest, is ingesting,or has recently ingested, as well as an estimate of the speed of overallglucose absorption from the meal by the user.

The estimate of the amount of carbohydrates that the user is about toingest, is ingesting, or has recently ingested, may be provided by theuser in any of various forms. Examples include, but are not limited to,a direct estimate of carbohydrate weight (for example, in units of gramsor other convenient weight measure), an amount of carbohydrates relativeto a reference amount (for example, dimensionless), an estimate of mealor snack size (for example, dimensionless), and an estimate of meal orsnack size relative to a reference meal or snack size (for example,dimensionless). Other forms of providing for user input of carbohydratecontent of a meal or snack will occur to those skilled in the art, andany such other forms are contemplated by this disclosure.

The estimate of the speed of overall glucose absorption from the meal bythe user may likewise be provided by the user in any of various forms.For example, for a specified value of the expected speed of overallglucose absorption, the glucose absorption profile captures the speed ofthe meal taken by the user. As another example, the speed of overallglucose absorption from the meal by the user also includes time durationbetween ingesting of the meal by a person and the peak glucoseabsorption of the meal by that person, which captures the duration ofthe meal taken by the user. The speed of overall glucose absorption maythus be expressed in the form of meal speed or duration. Examples of theexpected speed of overall glucose absorption parameter in this case mayinclude, but are not limited to, a compound parameter corresponding toan estimate of the meal speed or duration (for example, units of time),a compound parameter corresponding to meal speed or duration relative toa reference meal speed or duration (for example, dimensionless), or thelike.

As another example of providing the estimate of the expected speed ofoverall glucose absorption parameter, the shape and duration of theglucose absorption profile may be mapped to the composition of the meal.Examples of the expected speed of overall glucose absorption parameterin this case may include, but are not limited to, an estimate of fatamount, protein amount and carbohydrate amount (for example, in units ofgrams) in conjunction with a carbohydrate content estimate in the formof meal size or relative meal size, an estimate of fat amount, proteinamount and carbohydrate amount relative to reference fat, protein andcarbohydrate amounts in conjunction with a carbohydrate content estimatein the form of meal size or relative meal size, and an estimate of atotal glycemic index of the meal or snack (for example, dimensionless).The term “total glycemic index” is defined for purposes of thisdisclosure as a parameter that ranks meals and snacks by the speed atwhich the meals or snacks cause the person's blood sugar to rise. Thus,for example, a meal or snack having a low glycemic index produces agradual rise in blood sugar whereas a meal or snack having a highglycemic index produces a fast rise in blood sugar. One exemplarymeasure of total glycemic index may be, but is not limited to, the ratioof carbohydrates absorbed from the meal and a reference value, forexample, derived from pure sugar or white bread, over a specified timeperiod, for example, 2 hours. Other forms of providing for user input ofthe expected overall speed of glucose absorption from the meal by theuser, and/or for providing for user input of the expected shape andduration of the glucose absorption profile generally will occur to thoseskilled in the art, and any such other forms are contemplated by thisdisclosure.

Generally, the concentration of glucose in a person with diabeteschanges as a result of one or more external influences such as mealsand/or exercise, and may also change resulting from variousphysiological mechanisms such as stress, menstrual cycle and/or illness.In any of the above examples, the system 10 responds to the measuredglucose by determining the appropriate amount of insulin to administerin order to maintain normal glucose levels without causing hypoglycemia.In some embodiments, the system 10 is implemented as a discrete systemwith an appropriate sampling rate, which may be periodic, aperiodic ortriggered, although other continuous systems or hybrid systems may beimplemented as described above.

As one example of a diabetes control system, one or more softwarealgorithms may include a collection of rule sets which use (1) glucoseinformation, (2) insulin delivery information, and/or (3) subject inputssuch as meal intake, exercise, stress, illness and/or otherphysiological properties to provide therapy, etc., to manage the user'sglucose level. The rule sets are generally based on observations andclinical practices as well as mathematical models derived through orbased on analysis of physiological mechanisms obtained from clinicalstudies. In the exemplary system, models of insulin pharmacokinetics andpharmacodynamics, glucose pharmacodynamics, meal absorption and exerciseresponses of individual users are used to determine the timing and theamount of insulin to be delivered. A learning module may be provided toallow adjustment of the model parameters when the user's overallperformance metric degrades (for example, adaptive algorithms, usingBayesian estimates, may be implemented). An analysis model may also beincorporated which oversees the learning to accept or reject learning.Adjustments are achieved utilizing heuristics, rules, formulae,minimization of cost function(s) or tables (for example, gainscheduling).

Predictive models can be programmed into the processors of the systemusing appropriate embedded or inputted software to predict the outcomeof adding a controlled amount of insulin or other drug to a user interms of the an expected glucose value. The structures and parameters ofthe models define the anticipated behavior.

Any of a variety of controller design methodologies, such as PIDsystems, full state feedback systems with state estimators, outputfeedback systems, LQG controllers, LQR controllers,eigenvalue/eigenstructure controller systems, and the like, could beused to design algorithms to perform physiological control. Theytypically function by using information derived from physiologicalmeasurements and/or user inputs to determine the appropriate controlaction to use. While the simpler forms of such controllers use fixedparameters (and therefore rules) for computing the magnitude of controlaction, the parameters in more sophisticated forms of such controllersmay use one or more dynamic parameters. In some embodiments, the one ormore dynamic parameters take the form of one or more continuously ordiscretely adjustable gain values. In some embodiments, specific rulesfor adjusting such gains are defined on an individual basis, and, inother embodiments, on the basis of a user population. In either casethese rules will typically be derived according to one or moremathematical models. Such gains are scheduled according to one or morerule sets designed to cover the expected operating ranges in whichoperation is typically nonlinear and variable, thereby reducing sourcesof error.

Model based control systems, such as those utilizing model predictivecontrol algorithms, can be constructed as a black box wherein equationsand parameters have no strict analogs in physiology. Rather, such modelsmay instead be representations that are adequate for the purpose ofphysiological control. The parameters are typically determined frommeasurements of physiological parameters such as glucose, insulinconcentration, and the like, and from physiological inputs such as foodintake, alcohol intake, insulin doses, and the like, and also fromphysiological states such as stress level, exercise intensity andduration, menstrual cycle phase, and the like. These models are used toestimate current glucose or to predict future glucose values. Suchmodels may also take into account unused insulin remaining in the bloodafter a bolus is given, for example, in anticipation of a meal. Suchunused insulin will be variously described as unused, remaining, or“insulin on board.”

Insulin therapy is derived by the system based on the model's ability topredict glucose for various inputs. Other modeling techniques may beadditionally used including for example, but not limited to, buildingmodels from first principles.

As described above, system 10 includes an analyte monitor thatcontinuously monitors the glucose levels in a user. The controllermodule is programmed with appropriate software and uses models asdescribed above to predict the effect of carbohydrate ingestion andexercise, among other factors on the predicted level of glucose. Such amodel must also take into account the amount of insulin remaining in theblood stream from a previous bolus or basal rate infusion whendetermining what or whether or not to provide a bolus of insulin.

The controller module is typically programmed to provide a “basal rate,”which is the rate of continuous supply of insulin by an insulin deliverydevice such as a pump that is used to maintain a desired glucose levelin the bloodstream of a user. Periodically, due to various events thataffect the metabolism of a user, such as eating a meal or engaging inexercise, a “bolus” is required. A “bolus” is a specific amount ofinsulin that is required to raise the blood concentration of insulin toan effective level to counteract the effects of the ingestion ofcarbohydrates during a meal and also takes into account the effect ofexercise on the glucose level.

In some embodiments, system 10 includes a number of medical devices 30,32, including, but not limited to, a CGM sensor 31 and insulin pump 35.As such, electronic device 12 or medical device 30, 32, in an integratedsystem, may represent a device which performs the intended function ofseveral of these components. One purpose of the safety layer is toenvelop critical components of diabetes control system 10 (depicted byFIGS. 2 and 3) with a safety layer that maximizes the modularity ofsystem components with respect to value constraints that can change dueto component hardware and software upgrades over the life of system 10.

FIG. 2 shows a typical closed loop system using sensor 31 as a means tomonitor glucose level in a user and insulin pump 35 as a means toregulate glucose. As long as the hard limits (for example, a maximumdelivery rate) and other limits due to safety considerations areaccounted for, then the system should operate as intended, thus keepingglucose levels healthy and preventing diabetes-related complications.The dashed outline 66 represents the boundary of components provided bythe system. As depicted by the drawings of the embodiments, the safetylayer maintains these boundary input/output conditions so that outsidedesigners can then use rapid controller development environments toperform artificial pancreas research and development, as well as designand/or development of new control algorithms and/or new controllers. Forexample, software could be ported into a future controller moduleproduct with minimal code change to software within other components ofthe overall system.

In some embodiments, controller module 12 includes a bridge between CGMsensor 31 and pump 35, but may not be designed by the same pump orsensor designer/manufacturer. Further, the controller module may includea software algorithm that is updated over time to accommodate change innecessary calculations based on a user's status, or change intechnology. The pump and/or sensor may also require updated hardware orsoftware, or may be changed due to further changes in technology orunforeseen problems with past design. The dissimilarity between pump andsensor and controller may cause potential conflicts due to unforeseenincompatibilities between the system components. Thus, the safety layeris directed to a wrapper around pump 35 and sensor 31 with theanticipation that the controller module may be designed by anoutside/third-party designer/manufacturer. In other embodiments, thesafety layer is equally applicable to controller modules. The featuresof the safety layer and its components and hardware and/or software maybe incorporated into controller module hardware and/or software usingthe same techniques.

The safety layer in accordance with aspects of the present invention isimplemented by incorporating a model that takes into account of thecharacteristics of pump 21 and CGM sensor 31 within system 10. Since onecompany's design may determine the evolution of the hardware andsoftware components of pump 35 and CGM sensor 31 safety layer 100preferably resides around these components.

In one embodiment, still referring to FIG. 2, the interface boundaries66 of safety layer (shown by a dotted line) manages signals between pump35 and/or CGM sensor 31 and control module 12. When an algorithm isdesigned for a system with a specific pump, and the pump is replaced byanother one whose maximum basal rate is significantly lower than theprevious pump, or one whose maximum bolus amount is significantly lowerthan the previous pump, the absence of the safety layer requires aredesign of the control algorithm. Failure to do so could result in themismatch between predicted glucose and observed glucose (through one ormore glucose measuring devices) to be perceived as a model parametermismatch and/or internal state discrepancy to be compensated further.Depending on the dynamic interaction between the assumed model and thecontroller structure, this further compensation, which will not likelyassume an input limitation mismatch, could result in unnecessarily largeor small insulin amount to be delivered in the subsequent sampleinstances. At best, this could case a drift in how the actual glucosetracks a desired profile. One undesirable scenario is a windup phenomenawhich results in an exaggerated overshoot towards hyperglycemia,followed by hypoglycemia. To solve these problems, in one aspect,interface 66 manages safety constraints and hardware and/or softwarelimits that may not be taken into account explicitly by a particularcontrol algorithm architecture or hardware. It also allows outsidedevelopment of many independent control algorithms and/or hardwaredevices while at the same time ensuring that safety limits are accountedfor, and further allows minimal control algorithm change when acomponent with specific hard limits is replaced-by another componentwith different hard limits.

The depicted closed loop system can be modeled by transfer functionsA(.), P(z), and H(z). FIG. 3 illustrates a closed loop system thatincludes of: (1) a pump as an actuator A(.) whose output is bounded byconstants on the upper and lower limits, (2) a user represented by adynamic user model P(z), (3) a sensor model H(z), and (4) controllermodel K(z) designed to determine the proper actuator output at specifictime intervals based on information partially provided by the sensorunit. Any model whose transfer function is described using the zoperator implies that a linear version is possible, such that a lineartransfer function can be created using z transform to represent a model.These models are embodied by their respective modules (for example,controller module) which may be further incorporated in, or representedby, sensor 31, pump 35, and electronic device 12. Actuator module A( )is the only module that has a more generic notation “(.)” because theoutput bounds do not allow for a linear model representation.

Turning to FIGS. 4A and 4B, the present embodiment uses a control designarchitecture as a safety layer to compensate for, and manage, systemswith bounded input, state, and/or output. Safety layer may include oneor more hardware and/or software components and/or modules, and, thus,for the purpose of this disclosure, the safety layer may be referred toas multiple modules or as a single module interchangeably. In thedepicted embodiment, the safety layer includes multiplecomponents/modules. A controller input safety layer 401 and a controlleroutput safety layer 402 are depicted as integrated in IDM system 10.Input safety layer 401 modifies the CGM sensor signal to the controllermodule and output safety layer 402 modifies the controller module'saction (for example, for an insulin bolus amount) to the actuator (forexample, an insulin pump). The modifications are made such that thestability of the system under these known bounds is preserved and thatthere is minimal performance degradation should a particular controllermodule (which may be developed by an outside designer) fail to accountfor one or more bounds/limits. The main benefit is that modularity ofthe components, such as an outside-designed control algorithm or apresently designed pump, etc., is maximized while minimizing the hazardof exceeding certain limits imposed by these components.

In some embodiments, control module 12 is primarily responsible forcomprising the control algorithm. In one embodiment, the safety layermay not need to be aware of the particular control algorithmarchitecture, although it knows the value of the latest control actions.Such control actions include, but are not exclusive to insulin and/orglucagon delivery. In this embodiment, the safety layer merely serves asan outer layer to a particular control algorithm architecture designedby any outside designer.

For example, consider the case of an insulin pump 35 that replaces onewith a different maximum delivery rate. To a certain extent, the safetylayer can make necessary adjustments without requiring any adjustment tothe control algorithm designed by an outside designer. When the controlalgorithm issues a delivery rate that is higher than the current pump'sability, the safety layer keeps track of the necessary correction thatneeds to be made in the subsequent sample times in order to preventsystem instability or limit cycles from occurring.

All correction tracking data, state, values of past and present controlactions and other data and information are converted to digital data andstored in a memory module for retrieval by the safety layer system. Inone embodiment, the memory module is a hardware component that is partof a separate safety layer hardware circuitry. In another embodiment,the safety layer is configured to use existing memory of either the pumpor CGM sensor systems.

In order to ensure that the known limits are accounted for withoutdepending on the particular combination of controller architectureand/or hardware components such as the particular pump model, a safetylayer can be constructed as shown in FIG. 4A. In this embodiment, whencontroller 12 does not account for a limit set by the pump architecture,the safety layer will intervene appropriately by making adjustments tothe pump command 403 and CGM data 404, transforming them into a modifiedpump command 405 and modified CGM data 406, respectively. Otherwise, thesafety layer will remain idle in the background providing no change tothe signal.

In a further embodiment, still referring to FIGS. 4A and 4B, the safetylayer exists as two distinct components. As shown by FIG. 4B, withoutloss of generality, a feed forward component of the outside designer'scontroller is ignored, and the system looks only at the effect of thefeedback component expressed as a discrete time transfer function, K(z).In this embodiment, pump 35 is expressed as a nonlinear model A( ) dueto the insulin delivery limit, the user is expressed in terms of P(z),and CGM sensor 31 is expressed in terms of H(z).

In one embodiment, shown by FIG. 5, a controller architecture calledLinear Conditioning is used as a safety layer. The safety layer is nowrepresented by specific transfer functions. To this end, the top partcontains two modules that can be designed, namely M(z)-I and PHM(z), inwhich the P(z) and H(z) are determined a priori by the model of the“user” and “sensor,” respectively.

(1) The role of M(z)-I is to minimize the decay time of the unwantedeffect of a saturation event into the system, while

(2) the role of PHM(z) is to minimize the peak transient amplitude ofthe unwanted effect of a saturation event into the system at any giventime.

The term “saturation event” in this context implies an event in whichthe controller module K(z) generates a command that exceeds the actuatorbounds. Since M(z) is the only tunable model, this becomes a tradeoffbetween tuning M(z) to minimize decay time or to minimize any transientpeaks. For example, designing M(z) to minimize decay time only mayresult in PHM(z) allowing one or more large transient peaks to propagateinto the system output (and system behavior). On the other hand,designing M(z) to minimize transient peaks may result in the transientsdue to a saturation event to last a very long time. The secondconsideration in addition to the tradeoff is that M(z) must be tunedsuch that the feedback path in FIG. 4 comprising of the I-A(.) block andthe M(z)-I block is stable, and that the PHM(z) block isBounded-Input-Bounded-Output (BIBO) stable. It should be noted that asystem/block is BIBO stable if given a bounded input, the output remainsbounded as well. Moreover, the details of tuning M(z) to meet thedescribed set of criteria is a process common to those skilled in theart of control system design.

A modified pump command is thus represented byu ₁(z)=u(z)−u _(d)(z)

-   -   wherein        u _(d)(z)=[M(z)−I][I−A(.)]u ₁(z)

In these equations I represents the identity function, and M(z) is theonly design element when the Linear Conditioning architecture is used.

The first line converts the pump command u(z) into modified pump commandu₁(z). The second line keeps track of the modified pump command to bedelivered in future sample times based on all prior modified pumpcommands. This is the component that ensures that any inaccuraciescaused by reduced pump output are accounted for in the future. The onlycomponent that is not directly based on any of the system assumption isthe transfer function M(z).

The second group, the controller input safety layer, consists of thefollowing set of equations:y(z)=y _(s)(z)+y _(d)(z)yd(z)=PHM(z)[I−A(.)]u1(z)

The first line converts the CGM output y_(s)(z) into a modified outputy(z) as seen by the feedback controller K(z). The second line keepstrack of how the output should be modified based on all prior modifiedpump commands. The term PHM(z) corresponds to the time convolution ofthe user model P(z), CGM model H(z), and M(z) previously described

FIG. 5 is illustrative of one example of linear conditioning as a safetylayer. The role of the linear conditioning modules as a safety layer canbe best explained by rearranging the diagram in FIG. 5 into FIG. 6. Theequivalent block shown in FIG. 6 illustrates that when designedproperly, the system could be viewed as two different parts. The first(or lower) part includes the controller module K(z), user module P(z),and sensor module H(z). As long as the controller does not generatesignals that saturate the actuator, then the modules in the second (orupper) part will not generate any signal that affects the system, andthe overall system behavior will be in accordance with the systemwithout saturation limits. However, if K(z) generates a signal thatexceeds the actuator's bounds, blocks in the upper area will exhibit atransient. When this occurs, the modules M(z)-I and PHM(z) attempts tominimize the peak and duration of the transient disturbance caused bythe saturation. These modules are designed with parameters to preservestability of the overall system.

The components above the dashed line remain inactive until thecontroller K(z) issues a command that exceeds a certain limit. Hence, aslong as the limit is not exceeded, the system behaves as if the limitdoes not exist, as indicated by the fact that the elements below thedashed line are only the nominal components of the system minus thelimit and the Linear Conditioning modules.

An exemplary system incorporates physiological models of insulin andglucose compartments. The intent is not to choose a specific model,rather to illustrate how the safety mechanism described herein can bepracticed.

Suppose the user's insulin response to a sub-cutaneous insulin infusion(from the actuator) can be described by the following continuous timedomain set of equations:

$\overset{.}{S} = {{{- k_{a}}S} + u_{I}}$$\overset{.}{I} = {{{- k_{e}}I} + {\left( \frac{k_{a}}{V_{I}} \right)S}}$${\overset{.}{x}}_{E} = {k_{aE}\left( {{- x_{E}} + I} \right)}$${\overset{.}{x}}_{T} = {k_{aT}\left( {{- x_{T}} + I} \right)}$${\overset{.}{x}}_{D} = {k_{aD}\left( {{- x_{D}} + I} \right)}$

Where u_(I) is the sub-cutaneously delivered insulin infusion rate fromthe actuator, S is an intermediary plasma insulin compartment, I is theplasma insulin concentration, and x_(E), x_(T), and x_(D) correspond tothe effective insulin compartments that affect endogenous glucoseproduction, glucose transport, and glucose disposal, respectively. V_(I)corresponds to total insulin volume, and parameters k* correspond todecay rates of each corresponding compartment.

Suppose the user's glucose response to effective insulin can bedescribed by the following 3 compartment model:ġ _(b) x _(T) g _(b) +k _(b/h) +f(x _(E))ġ _(h) =x _(D) g _(h) +x _(T) g _(b)ġ _(i) =k _(ai)(−g _(i) +g _(b))

Where g_(b), g_(h), and g_(i) are glucose in the blood, hepatic, andinterstitial compartments.

Suppose the sensor can be modeled by the following equation:

$y = {\frac{1}{V_{G}}g_{i}}$

Where V_(G) is the glucose volume, such that the sensor reads glucoseconcentration instead of glucose amount. Note that without loss ofgenerality, the non trivial task of calibrating the sensor such that itgenerates signals that are appropriately calibrated into glucoseconcentration units is assumed to be provided by one or more modulesoutside the scope of this discussion. As a result, the measurement y isspecified in terms of the appropriate unit. In at least one embodimentsensor noise is assumed to be negligible.

The equations described thus far make up the equations used to representthe user P and sensor H models. Putting the equations together, andlinearizing the equations at every operating point, one obtains thefollowing state space equation in the continuous time domain:

$\frac{\mathbb{d}}{\mathbb{d}t}{{\quad{\begin{bmatrix}S \\I \\x_{E} \\x_{T} \\x_{D} \\g_{b} \\g_{h} \\{gi}\end{bmatrix} = \mspace{34mu}{\quad{\quad\quad}\quad}}\quad}\left\lbrack \begin{matrix}{- k_{a}} & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\{k_{a}\text{/}V_{I}} & {- k_{e}} & 0 & 0 & 0 & 0 & 0 & 0 \\0 & k_{aE} & {- k_{aE}} & 0 & 0 & 0 & 0 & 0 \\0 & k_{aT} & 0 & {- k_{aT}} & 0 & 0 & 0 & 0 \\0 & k_{aD} & 0 & 0 & {- k_{aD}} & 0 & 0 & 0 \\0 & 0 & {\frac{f\left( x_{E} \right)}{x_{E}}❘_{t = k}} & 0 & 0 & {{- x_{T}}\text{❘}_{t = k}} & k_{\frac{b}{h}} & 0 \\0 & 0 & 0 & 0 & 0 & {x_{T}\text{❘}_{t = k}} & {x_{D}\text{❘}_{t = k}} & 0 \\0 & 0 & 0 & 0 & 0 & k_{ai} & 0 & k_{ai}\end{matrix} \right\rbrack}{\quad{{\quad{\quad\quad}\quad}{\quad{\left\lbrack \begin{matrix}S \\I \\x_{E} \\x_{T} \\x_{D} \\g_{b} \\g_{h} \\{gi}\end{matrix} \right\rbrack{\quad{{\quad + \quad}{\quad{{\left\lbrack \begin{matrix}1 \\0 \\0 \\0 \\0 \\0 \\0 \\0\end{matrix} \right\rbrack u_{I}\mspace{85mu} y} = {{\begin{bmatrix}0 & 0 & 0 & 0 & 0 & 0 & 0 & \frac{1}{V_{G}}\end{bmatrix}\begin{bmatrix}S \\I \\x_{E} \\x_{T} \\x_{D} \\g_{b} \\g_{h} \\{gi}\end{bmatrix}} + {\lbrack 0\rbrack u_{I}}}}}}}}}}}$

Define the following:

$\mspace{79mu}{{x_{PH}:=\begin{bmatrix}S \\I \\x_{E} \\x_{T} \\x_{D} \\g_{b} \\g_{h} \\{gi}\end{bmatrix}},{A:={\left\lbrack \begin{matrix}{- k_{a}} & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\{k_{a}/V_{I}} & {- k_{e}} & 0 & 0 & 0 & 0 & 0 & 0 \\0 & k_{aE} & {- k_{aE}} & 0 & 0 & 0 & 0 & 0 \\0 & k_{aT} & 0 & {- k_{aT}} & 0 & 0 & 0 & 0 \\0 & k_{aD} & 0 & 0 & {- k_{aD}} & 0 & 0 & 0 \\0 & 0 & {\frac{f\left( x_{E} \right)}{x_{E}}❘_{t = k}} & 0 & 0 & {{- x_{T}}❘_{t = k}} & k_{\frac{b}{h}} & 0 \\0 & 0 & 0 & 0 & 0 & {x_{T}❘_{t = k}} & {x_{D}❘_{t = k}} & 0 \\0 & 0 & 0 & 0 & 0 & k_{ai} & 0 & k_{ai}\end{matrix} \right\rbrack{\quad{{{{\quad{\quad\quad}\quad}\mspace{79mu} B}:=\begin{bmatrix}1 \\0 \\0 \\0 \\0 \\0 \\0 \\0\end{bmatrix}},\mspace{79mu}{C:=\begin{bmatrix}0 & 0 & 0 & 0 & 0 & 0 & 0 & \frac{1}{V_{G}}\end{bmatrix}},\mspace{79mu}{D:=\lbrack 0\rbrack},\mspace{79mu}{u:=u_{I}}}}}}}$

Then, the user-sensor model PH can be described using the state spacerepresentation (A, B, C, D), where:{dot over (x)} _(PH) =Ax _(PH) +Buy=Cx _(PH) +Du

Laplace transform can be applied to the continuous time domain statespace description above to obtain PH(s), and any suitable discretizationmethod such as zero-order-hold can be used to create the z-transformequivalent PH(z) referenced in FIGS. 2, 3B, 4, and 5. It should be notedthat the particular choice of the model used in the above illustrationdoes not constrain this implementation. Rather, it provides a moreconcrete example in the derivation of the state space representation (A,B, C, D) of the user-sensor module combination PH, and that methods todescribe this combination in the z domain PH(z) exist and will not bediscussed in further detail.

While there are many different ways to design the Linear Conditioningmodules M(z)-I and PHM(z), one method called Direct M Design, as used inWeston and Postlethwaite, Linear Conditioning for Systems ContainingSaturating Actuators, Automatica, 36:1347-1354, 2000, incorporatedherein by reference, is described here due to the benefit of being ableto directly derive most of the linear conditioning (LC) structure andparameters from the user and sensor model assumption. The design isperformed in the continuous time domain first, and converted to discretetime at the end. The continuous time domain state space representationof M depends explicitly on the user and sensor model plus a designparameter F. In particular, M is expressed as ([A+BF], B, F, I), where Iis an identity matrix.

F is chosen such that [A+BF] is stable. One example is to use poleplacement method such that the Eigen values remain on the left halfplane of the s-domain. In addition, F is tuned to obtain a reasonabletradeoff between the peak disturbance caused by saturation and the timeit takes to completely attenuate the disturbance due to saturation. Thefaster the Eigen values of [A+BF] are, the less time it takes tocompletely attenuate a disturbance due to saturation.

The design of safety layer 100 does not require knowledge of thecontroller module K(z). Rather, the design (in this case the tuning ofthe matrix F) depends solely on the user model, and to some degree, thesensor model. Pole placement and other stabilizing feedback designtechniques can be used to determine the best F when new actuatorsaturation limits are enforced by a component change or otherconsiderations. Once the values of the matrix F has been determined, thefirst module of the LC, M(z)-I, can be obtained by first arranging thecontinuous time domain version described in state space as:

${\overset{.}{x}}_{LC} = \left( {\left\lbrack \begin{matrix}{- k_{a}} & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\{k_{a}/V_{I}} & {- k_{e}} & 0 & 0 & 0 & 0 & 0 & 0 \\0 & k_{aE} & {- k_{aE}} & 0 & 0 & 0 & 0 & 0 \\0 & k_{aT} & 0 & {- k_{aT}} & 0 & 0 & 0 & 0 \\0 & k_{aD} & 0 & 0 & {- k_{aD}} & 0 & 0 & 0 \\0 & 0 & {\frac{f\left( x_{E} \right)}{x_{E}}❘_{t = k}} & 0 & 0 & {{- x_{T}}❘_{t = k}} & k_{\frac{b}{h}} & 0 \\0 & 0 & 0 & 0 & 0 & {x_{T}❘_{t = k}} & {x_{D}❘_{t = k}} & 0 \\0 & 0 & 0 & 0 & 0 & k_{ai} & 0 & k_{ai}\end{matrix} \right\rbrack{\quad{{{\quad{\quad\quad}\quad} + {\left. \quad{\begin{bmatrix}1 \\0 \\0 \\0 \\0 \\0 \\0 \\0\end{bmatrix}F} \right)x_{LC}} + {\begin{bmatrix}1 \\0 \\0 \\0 \\0 \\0 \\0 \\0\end{bmatrix}u_{s}\mspace{79mu} u_{d}}} = {{Fx}_{LC} + {\lbrack 0\rbrack u_{s}}}}}} \right.$

Where u_(d) is the continuous time domain output of the first module,and u_(s) is the difference between u₁ and u₂ as shown in FIG. 5, andx_(LC) is the set of internal states of the LC. It has no directphysical meaning and can be expressed in infinitely many otherrealizations. Practically, a particular realization is chosen from anumerical condition perspective. One method to achieve this is totransform the realization into one that is called a balancedrealization. The state space above can be expressed in a more compactform as:{dot over (x)} _(LC) =[A+BF]x _(LC) +Buu _(d) =Fx _(LC)

The z transform from u_(s) to u_(d) obtained by discretizing thecontinuous time domain state space equation ([A+BF], B, F, 0) above isthe M(z)-I module described in FIG. 5.

The second LC component is the PHM(z) module, where, given the aboveconstruct, is first described in terms of continuous time domain statespace equation shown below:{dot over (x)} _(LC) =[A+BF]x _(LC) +Buy _(d) =[C+DF]x _(LC) +Du _(s)

Again, the z transform from u_(s) to y_(d) can be obtained bydiscretizing the continuous time domain state space equation ([A+BF], B,[C+DF], D) above to get PHM(z).

Note that the continuous time domain state space equations used toderived both M(z)-I and PHM(z) share the same dynamic element. This owesto the fact that the dynamic element is driven by the user-sensor model(A, B, C, D) and the tunable LC matrix F. Equivalently, one can define acontinuous time domain state space representation as follows:

${\overset{.}{x}}_{LC} = {{{\left\lbrack {A + {BF}} \right\rbrack x_{LC}} + {{Bu}_{s}\begin{bmatrix}u_{d} \\y_{d}\end{bmatrix}}} = {{\begin{bmatrix}F \\{C + {DF}}\end{bmatrix}x_{LC}} + {\begin{bmatrix}0 \\D\end{bmatrix}u_{s}}}}$

And then obtain the z transform equivalent to compute the outputs u_(d)and y_(d) of the M(z)-I and PHM(z) modules in response to the differencebetween the unsaturated and saturated control commands u₁ and U₂.

FIG. 6 is illustrative of an equivalent representation of the feedbacksystem using Linear Conditioning as a safety layer. Once a limit isexceeded, the command u issued by the controller K(z) that enters afeedback path above the dashed line can no longer be blocked by theelement I-A(.), which is the complement of the saturation function. Thisstarts an initial condition to the upper feedback path, eventually“contaminating” the actual output of the sensor, y_(s). This is wherethe design of M(z) is made such that the transient due to the command uexceeding a limit is as minimal as possible.

The safety layer is transparent to outside designers, such that it willonly intervene when a particular value constraint is not met by aparticular controller. If, for instance, electronic device 12 issues acommand to pump 35 within the limits of the pump, and the pump isreadily able to process, the safety layer will not activate and thecommand will be directly routed to the pump. If, on the other hand, thecommand issued includes a value outside the pump's maximum delivery ratethe safety layer will intervene and the output signal will be modifiedand input and output and safety parameters stored, for instance, inmemory 40 (of pump 35). The safety layer will then proceed to manageoutput commands based on the stored data, including modified pumpcommands to be delivered in future sample times based on all priormodified pump commands.

The safety layer may include one or more components each of which mayfurther comprise either hardware or software modules, or a combinationof both. Turning to FIG. 7A, system 10 is depicted to include a maincontroller system 701, insulin delivery system 702, CGM component 703,and handheld CGM component 704, that are collectively usable on a user705. In some embodiments, electronic device 12 is part of, or includesmain controller system 701. In some embodiments, main controller system701 is part of, or includes, electronic device 12. In some embodiments,pump 35 is part of, or includes insulin delivery system 702. In someembodiments, insulin delivery system 702 is part of, or includes, pump35. In some embodiments, sensor 31 is part of, or includes CGM component703. In some embodiments, CGM component 703 is part of, or includes,sensor 31. In some embodiments, depicted by FIG. 7B, handheld CGMcomponent 705 is part of, or integrated with main controller system 701.In some embodiments, depicted by FIG. 7C, CGM component 703 is part of,or integrated with insulin delivery system 702. In some embodiments,main controller system 701 is a handheld device, for example, a handheldglucose monitoring device, PDA, smart phone, or the like. In furtherembodiments, main controller system 701 includes a computer, such as apersonal computer, laptop, computer gaming system, smart television, orthe like. It should be apparent to those of ordinary skill in the artthat various adaptations and modifications of the components of system10, and combinations thereof, may be accomplished without departing fromthe spirit and the scope of the invention.

Referring to FIG. 7A, controller input safety layer 401 and controlleroutput safety layer 402 are depicted as integrated in controller system701. As previously shown, the safety layer components may be integratedin any of the above components and in a number of ways. In the depictedembodiment, CGM data 706 is received by input safety layer 401 from CGMcomponent 703 via (optional) controller-communication module 707. Inputsafety layer 401 is configured to receive CGM data 706 from CGMcomponent 703 (for example, via controller-communication module 707),adjust the CGM data values according to the algorithms described herein,and forward a modified CGM data 708 to software component module 709. Inone embodiment, CGM data 706 is stored to a database operably connectedto safety layer 401. In another embodiment, CGM data 706 is passeddirectly to safety layer via an application programming interface (API).In another embodiment, CGM data 706 is stored to a database operablyconnected to software component 709.

Software component module 709, including controller calculation software710 receives modified CGM data 708 from input safety layer 401 andperforms its typical calculation (ignorant of the modification to CGMdata 706) for generating a command 711 for insulin delivery to be sentto insulin delivery system 702. In some embodiments, software componentmodule 709 receives modified CGM data 708 from a database. In oneembodiment, this database is the same database operably connected tosafety layer 401. In another embodiment, this database is operablyconnected to software component module 709. In further embodiments,modified CGM data is received by software component module 709 via anAPI operably connected with module 709 or safety layer 401.

Output safety layer 402 is configured to intercept pump command 711 fromsoftware component module 708, adjust the command parameters accordingto the algorithms described herein, and forward a modified pump command712 to insulin delivery system 702. In some embodiments, output safetylayer 402 receives pump command 711 from a database. In one embodiment,this database is the same database operably connected to safety layer401. In another embodiment, this database is operably connected tosoftware component module 709. In another embodiment, this database isoperably connected to output safety layer 402. It should be understoodthat each component described herein can have its own unique database,or collectively share data from a database or databases operablyconnected to other components. In further embodiments, pump command 711is received by output safety layer 402 via an API operably connectedwith output safety layer 402 or software component module 708.Similarly, modified pump command 712 can be passed by database or byAPI.

In some embodiments, where controller system 701 and insulin system 702are independent and separate components modified pump command 712 isforward via a pump communication module 713. In some embodiments, outputsafety layer 402 is further configured provide feedback information 714to input safety layer 401 in accordance with the above disclosure. Insome embodiments, feedback information 714 is passed to safety layer 401by manipulation of data in a database operably connected to safety layer401, and, in some embodiments, information 714 is passed via an APIbetween input safety layer 401 and output safety layer 402. In someembodiments, feedback information 714 is passed by hardware connectionusing a hardware standard (for example, voltage/current driven). Itshould also be understood from the above disclosure that CGM data 708,modified CGM data 708, pump command 711, modified pump command 712,and/or feedback information 714 can be passed in the form of a hardwarestandard without deviating from the intent of the present invention.

In some embodiments, safety layer 100 includes a common interface forproviding an input to the safety layer and for managing communicationbetween the controller output/inputs, the safety layer, and ultimately,the pump and CGM sensor component systems. In some embodiments, safetylayer includes a hardware component in which both input and outputsremain fixed to a hardware standard (for example, voltage/currentdriven). In one embodiment the outer interface remains fixed over timewhile internal interface may change with updated design of thecorresponding pump or CGM sensor. In some embodiments the interfaceincludes voltage and/or current driven inputs. Such inputs may beanalogue or digital. In these embodiments, the safety layer may comprisean additional memory, processor, communication I/O, and the like, whichmay be integrated with electronic device 12, or medical device 30, 32,or, in some embodiments comprise a separate safety device to be used inconnection with diabetes control system 10.

In another embodiment the safety layer includes an algorithm that ispart of a software component of the system. In this embodiment thealgorithm may incorporated into or encapsulated by the interface, or thealgorithm may comprise a separate software component aggregated by theinterface to the outside designer. In one embodiment the interface is abinary standard, for example, a dynamic linked library (DLL). In thisembodiment the interface represents to outside designers a predefinedgroup of related exposed software functions that are linked to aninternal software class engine. The interface does not necessarilyrepresent all the functions that the inner software class enginesupports. The class engine provides control of the hardware and providesthe safety layer algorithm that processes commands from the controlmodule in accordance with the safety models herein described. An outsidedesigner may then continue to update a control algorithm and/or theclass engine, as long as the internal commands comply with the binarystandard. Thus, as long as the binary interface remains constant theclass engine and related algorithm may be updated periodically toaccommodate change in pump hardware or technology standards. Thesoftware including the interface may be downloaded into, for example,memory 40 of pump 35 to be processed by processor 33.

In one embodiment, as shown by FIGS. 4A and 4B, safety layer isespecially useful when allowed to interact between the sensor andcontroller module. In this embodiment the above described transferfunction PHM(z) represents a saturation flowing as an input into CGMdata received from the sensor whereas to create the equationy=y_(d)+y_(s). In this manner, CGM sensor data may be modified and thecontroller feedback loop intercepted. This allows the controller moduleto adjust accordingly to modified CGM data and account for diminished orincreased insulin delivery as a result of adjustment by the safetylayer. In one embodiment, also shown by FIGS. 4A and 4B, the safetylayer allows for the safe interaction of all of the components withoutexplicitly requiring the controller module K to necessarily be aware ofthe saturation constraints while at the same time maximizing systemsafety and performance. This is achieved without having to modify thecontroller module K because the two main elements of the safety layer,namely a controller output safety layer, and a controller input safetylayer, modifies necessary signals in real-time to achieve thisobjective.

At any time, the controller output safety layer manages present andfuture pump commands based on past and present pump commands in excessof the saturation limits, such that the modified pump command neverexceeds this limit. The controller output safety layer can be thought ofas a buffer of the pump command such that at any given time, saturationdoesn't occur, and that only any necessary portion of the remainingcommand is to be delivered in the future, and that these necessaryportions are to be delivered in the manner such that the system willrespond in a stable and preferred manner in the context of feedbackcontrol design.

Concurrent with the controller output safety layer's role of bufferingthe pump command, the CGM data being sent to the controller must bemodified such that the temporal discrepancy observed between the actualCGM output and the controller's estimate of the sensor due to saturationconstraints will not cause the controller to generate a counterproductive correction. The common elements between the controller outputsafety layer and the controller input safety layer then ensures that thecontroller input safety layer prevents undesired feedback couplingassociated with excessive commands from further degrading the system,and modifies the CGM data so that the controller will discount theeffect of saturation that the controller output safety layer has alreadyconsidered.

In one exemplary illustration, the safety layer module (comprisinglinear conditioning) interface between components keeps track ofcommands in the overall system. In an embodiment in which the safetylayer module interface is integrated with medical device 30, 32, this isaccomplished by writing and reading to memory 40. An older, or thirdparty, insulin pump may have a maximum delivery rate of, for example,one (1) unit per time period n. However, the controller module maydetermine by way of the sensor or method described herein that the userrequires an adjusted delivery of three (3) units. The control outputsafety layer intercepts the pump command from the controller module andcalculates a delivery schedule according to the pump requirements. Inthis instance, the controller module may be further programmed for apump having a maximum limit of two (2) units. The controller module willthen divide the units accordingly, for example, a first delivery of two(2) units followed by a pending second delivery of one (1) unit at alater time (assuming no other change in conditions). The safety layerwill intercept the first delivery to enforce the actual pump rate limit.The memory 40 keeps track of all deliveries and the time of suchdeliveries so that processor 33 can properly calculate a furtherdelivery schedule, with the possibility of a tapered delivery to moresafely deliver the needed medication to the user, whose deliverytrajectory will not excite any system dynamics. The safety layer,knowing that the controller module is programmed for a maximum deliveryof two (2) units and the pump is programmed to accept a maximum deliveryof one (1) unit, generates a delivery of one (1) unit. In this manner,there is one (1) undelivered unit and one (1) pending unit. Theprocessor can read the memory and determine that one (1) pending unitwas not delivered at this instant. At the next time step (t=0+n),assuming the controller module attempts to follow-through on the initialplan, delivers a request for one (1) unit which it had planned todeliver for this time step. The safety layer then counts a total of two(2) units requested, and ensures a maximum of one (1) unit commanded tothe pump. At the next time step (t=0+2n), if the controller module doesnot send any other request, the safety layer then will choose to taperthe delivery of the remaining one (1) unit according to a model-baseduser profile or other preprogrammed delivery profile or input. Thesafety layer may then deliver 0.8 units at t=0+2n and another 0.2 unitsat t=0+3n. In one embodiment, when the safety layer has safely deliveredthe medication to the delivery device the system will again store afinal reading along with all data delivery points and proceed to resetfor the next delivery. These stored constants and/or variables may be afactor in the next delivery schedule. In an embodiment in which thesafety layer module interface resides on electronic device 12 or remotedevice 50, 52, the components therein (for example, memory, processor,I/O) may be employed in the same or similar manner as, or in connectionwith, an embodiment using components of medical device 30, 32.

There are other nonlinear control architecture and synthesis theoriesthat can be used to serve the same role, and the general concept remainsthe same. One embodiment uses a control theory and architecture thatdeals with bounded input, state, or output systems in order to create amodular artificial pancreas platform. Thus, one aspect of the depictedembodiments allows for outside-designed controllers and/or othercomponents to be as modular as possible with respect to limit-relatedhazards.

The foregoing descriptions for the preferred embodiments have beenpresented for the purposes of illustration and description. It is notintended to be exhaustive or to limit the invention to the precise formdisclosed. Many modifications and variations are possible in light ofthe above teaching. It is intended that the scope of the invention notbe limited by this detailed description, but by the claims and theequivalents to the claims appended hereto.

Thus, it can be seen that present invention provides a safety layer foruse in a closed loop or semi-closed loop integrated diabetes management(IDM) system that provides modularity for rapid development of systemcomponents by different designers, and bestows an increased sense offreedom to the user, such as the ability to self-medicate in conjunctionwith a closed-loop system, all while providing for safety in theaccurate delivery of insulin. In one aspect, the safety layer of thepresent invention provides a tradeoff between system safety andperceived system flexibility. In another aspect, the safety layerfurther envelops critical components of an IDM system to maximize themodularity of system components with respect to value constraints thatcan change due to component hardware and software upgrades over the lifeof the system. Practically, this means that as new components are beingintroduced in place of older ones, new constraints and new values ofexisting constraints will not render an existing controller obsolete andin dire need for a redesign. Moreover, integrating such a safety layerwith a CGM sensor and a pump, allows rapid controller development byoutside hardware and/or software designers. Overall, the safety layerprovides an abstraction layer between the maintained components andoutside designed components to greatly increase the robustness of theoverall system.

Although the present invention has been described in detail with regardto the preferred embodiments and drawings thereof, it should be apparentto those of ordinary skill in the art that various adaptations andmodifications of the present invention may be accomplished withoutdeparting from the spirit and the scope of the invention. Accordingly,it is to be understood that the detailed description and theaccompanying drawings as set forth hereinabove are not intended to limitthe breadth of the present invention.

1. An integrated diabetes management system, comprising: a glucosesensor configured to provide sensor glucose data representative ofsensed glucose; a delivery device configured to deliver medication inresponse to a delivery control signal; a communication module; acontroller programmed to receive glucose data and to provide an outputcontrol signal as a function of the received glucose data; and a safetylayer programmed to receive at least one of the sensor glucose data andthe output control signal, and to modify at least one of the sensorglucose data and the output control signal; wherein the glucose datawould be modified to become modified glucose data wherein the outputcontrol signal would be modified to become a modified output controlsignal that would be provided as the delivery control signal; whereinthe controller comprises a controller calculation software moduleconfigured to provide the output control signal; wherein thecommunication module is configured to provide the delivery controlsignal to the delivery device; and wherein the safety layer isconfigured to intercept the output control signal and substitute themodified control signal to the communication module without anyreconfiguration of the communication module or the controllercalculation software module.
 2. An integrated diabetes managementsystem, comprising: a glucose sensor configured to provide sensorglucose data representative of sensed glucose; a delivery deviceconfigured to deliver medication in response to a delivery controlsignal; a controller programmed to receive glucose data and to providean output control signal as a function of the received glucose data; anda safety layer programmed to receive at least one of the sensor glucosedata and the output control signal, and to modify at least one of thesensor glucose data and the output control signal; wherein the glucosedata would be modified to become modified glucose data wherein theoutput control signal would be modified to become a modified outputcontrol signal that would be provided as the delivery control signal;wherein the controller comprises a controller calculation softwaremodule configured to receive glucose data and provide the output controlsignal; and wherein the safety layer is configured to intercept thesensor glucose data from the glucose sensor and substitute the modifiedglucose data to the controller calculation software module without anyreconfiguration of the glucose sensor or the controller calculationsoftware module.
 3. An integrated diabetes management system comprising:a glucose sensor configured to provide sensor glucose datarepresentative of sensed glucose; a delivery device configured todeliver medication in response to a delivery control signal; acontroller programmed to receive glucose data and to provide an outputcontrol signal as a function of the received glucose data; and a safetylayer programmed to receive at least one of the sensor glucose data andthe output control signal, and to modify at least one of the sensorglucose data and the output control signal; wherein the glucose datawould be modified to become modified glucose data; wherein the outputcontrol signal would be modified to become a modified output controlsignal that would be provided as the delivery control signal; whereinthe delivery device has a maximum delivery rate; and wherein the safetylayer is further programmed to: determine the maximum delivery rate ofthe delivery device; determine an amount of medication to be deliveredby the output control signal; and if the output control signal isconfigured for a higher delivery rate than the maximum delivery rate ofthe delivery device, the safety layer calculates a modified deliveryrate and delivery schedule based at least in part on the maximumdelivery rate of the delivery device to achieve delivery of the sameamount of medication as configured by the output control signal.
 4. Theintegrated diabetes management system of claim 3, wherein the safetylayer is further programmed to taper the modified delivery rate over thedelivery schedule.
 5. The integrated diabetes management system of claim3, further comprising a visual display; wherein the safety layer isfurther programmed to display the modified delivery rate and thedelivery schedule.
 6. An integrated diabetes management system,comprising: a glucose sensor configured to provide sensor glucose datarepresentative of sensed glucose; a delivery device configured todeliver medication in response to a delivery control signal; acommunication module; a controller programmed to receive glucose dataand to provide an output control signal as a function of the receivedglucose data; and a safety layer programmed to receive at least one ofthe sensor glucose data and the output control signal, and to modify atleast one of the sensor glucose data and the output control signal;wherein the glucose data would be modified to become modified glucosedata wherein the output control signal would be modified to become amodified output control signal that would be provided as the deliverycontrol signal; wherein the glucose sensor includes an output having afirst range representative of glucose levels; wherein the controller hasan input having a second range representative of glucose levels, whereinthe second range is different from the first range; and wherein thesafety layer is configured to receive glucose data from the glucosesensor, modify the received glucose data for compatibility with thesecond range, and substitute the modified glucose data to the input ofthe controller.
 7. An integrated diabetes management system, comprising:a glucose sensor configured to provide sensor glucose datarepresentative of sensed glucose; a delivery device configured todeliver medication in response to a delivery control signal; acontroller programmed to receive glucose data and to provide an outputcontrol signal as a function of the received glucose data; and a safetylayer programmed to receive at least one of the sensor glucose data andthe output control signal, and to modify at least one of the sensorglucose data and the output control signal; wherein the glucose datawould be modified to become modified glucose data wherein the outputcontrol signal would be modified to become a modified output controlsignal that would be provided as the delivery control signal; whereinthe glucose sensor provides glucose data having a first format; andwherein the controller is configured to receive glucose data having asecond format; wherein the safety layer is further programmed to:determine if the first format and the second format are equivalent; ifthe first and second data formats are not equivalent, the safety layeris programmed to modify the glucose data signals to the second formatand substitute the modified glucose signals to the controller.
 8. Anintegrated diabetes management system, comprising: a glucose sensorconfigured to provide sensor glucose data representative of sensedglucose; a delivery device configured to deliver medication in responseto a delivery control signal; a controller programmed to receive glucosedata and to provide an output control signal as a function of thereceived glucose data; and a safety layer programmed to receive at leastone of the sensor glucose data and the output control signal, and tomodify at least one of the sensor glucose data and the output controlsignal; wherein the glucose data would be modified to become modifiedglucose data wherein the output control signal would be modified tobecome a modified output control signal that would be provided as thedelivery control signal; wherein the safety layer further comprises: aninput safety module operably connected to the glucose sensor; an outputsafety module operably connected to the medication delivery device;wherein the output safety module provides feedback to the input safetymodule; wherein the feedback comprises a function of a limit on thedelivery device and the modified control signal; and wherein themodified glucose data is further determined as a function of thefeedback.
 9. An integrated diabetes management system, comprising: aglucose sensor configured to provide sensor glucose data representativeof sensed glucose; a delivery device configured to deliver medication inresponse to a delivery control signal; a controller programmed toreceive glucose data and to provide an output control signal as afunction of the received glucose data; and a safety layer programmed toreceive at least one of the sensor glucose data and the output controlsignal, and to modify at least one of the sensor glucose data and theoutput control signal; wherein the glucose data would be modified tobecome modified glucose data; wherein the output control signal would bemodified to become a modified output control signal that would beprovided as the delivery control signal; wherein the safety layerfurther comprises: an input safety module operably connected to theglucose sensor; and an output safety module operably connected to themedication delivery device; wherein the delivery control signal isrepresentative of a required medication amount for delivery, and whereinthe safety layer determines a maximum delivery rate of the medicationdelivery device and is configured to calculate a delivery schedule as afactor of the maximum delivery rate and the required medication amount,the required medication amount being determined at least partially bythe sensed glucose.
 10. The integrated diabetes management system ofclaim 9, further comprising: a memory module; and an input, wherein thesafety layer is configured to store the required medication amount inthe memory module and update the required medication amount according toa remaining delivery schedule, the modified output control signal, and adelivery command received at the input.
 11. The integrated diabetesmanagement system of claim 9, wherein the delivery schedule is a tapereddelivery of insulin.
 12. An integrated diabetes management system,comprising: a glucose sensor configured to provide sensor glucose datarepresentative of sensed glucose; a delivery device configured todeliver medication in response to a delivery control signal; acontroller programmed to receive glucose data and to provide an outputcontrol signal as a function of the received glucose data, thecontroller including a controller calculation software module configuredto provide the output control signal; a communication module configuredto provide the delivery control signal to the delivery device; and asafety layer programmed to monitor the amount of medication delivered,to receive at least one of the sensor glucose data and the outputcontrol signal, and to modify at least one of the sensor glucose dataand the output control signal as a function of the amount of medicationdelivered; wherein the glucose data would be modified to become modifiedglucose data; and wherein the output control signal would be modified tobecome a modified output control signal that would be provided as thedelivery control signal; wherein the safety layer includes an inputsafety module operably connected to the glucose sensor and an outputsafety module operably connected to the medication delivery device;wherein the output safety module provides feedback to the input safetymodule; and wherein the safety layer is configured to intercept theoutput control signal and substitute the modified control signal to thecommunication module without any reconfiguration of the communicationmodule or the controller calculation software module.
 13. The integrateddiabetes management system of claim 12, wherein: the delivery controlsignal is representative of a required medication amount for delivery,and wherein the safety layer determines a maximum delivery rate of themedication delivery device and is configured to calculate a deliveryschedule as a factor of the maximum delivery rate and the requiredmedication amount, the required medication amount being determined atleast partially by the sensed glucose.